@dependabot dependabot bot commented on behalf of github Jan 24, 2026

Bumps datasette from 0.65.1 to 0.65.2.

Release notes

Sourced from datasette's releases.

0.65.2

  • Fixes an open redirect security issue: Datasette instances would redirect to example.com/foo/bar if you accessed the path //example.com/foo/bar. Thanks to James Jefferies for the fix. #2429
  • Upgraded for compatibility with Python 3.14.
  • Fixed datasette publish cloudrun to work with changes to the underlying Cloud Run architecture. #2511
  • Minor upgrades to fix warnings, including pkg_resources deprecation.
Changelog

Sourced from datasette's changelog.

0.65.2 (2025-11-05)

  • Fixes an open redirect security issue: Datasette instances would redirect to example.com/foo/bar if you accessed the path //example.com/foo/bar. Thanks to `James Jefferies <https://github.com/jamesjefferies>`__ for the fix. (:issue:`2429`)
  • Upgraded for compatibility with Python 3.14.
  • Fixed datasette publish cloudrun to work with changes to the underlying Cloud Run architecture. (:issue:`2511`)
  • Minor upgrades to fix warnings, including pkg_resources deprecation.

.. _v1_0_a20:

1.0a20 (2025-11-03)

This alpha introduces a major breaking change prior to the 1.0 release of Datasette concerning how Datasette's permission system works.

Permission system redesign


Previously the permission system worked using ``datasette.permission_allowed()`` checks which consulted all available plugins in turn to determine whether a given actor was allowed to perform a given action on a given resource.

This approach could become prohibitively expensive for large lists of items - for example to determine the list of tables that a user could view in a large Datasette instance each plugin implementation of that hook would be fired for every table.

The new design uses SQL queries against Datasette's internal :ref:`catalog tables <internals_internal>` to derive the list of resources for which an actor has permission for a given action. This turns an N x M problem (N resources, M plugins) into a single SQL query.

Plugins can use the new :ref:`plugin_hook_permission_resources_sql` hook to return SQL fragments which will be used as part of that query.

Plugins that use any of the following features will need to be updated to work with this and following alphas (and Datasette 1.0 stable itself):

  • Checking permissions with datasette.permission_allowed() - this method has been replaced with :ref:`datasette.allowed() <datasette_allowed>`.
  • Implementing the permission_allowed() plugin hook - this hook has been removed in favor of :ref:`permission_resources_sql() <plugin_hook_permission_resources_sql>`.
  • Using register_permissions() to register permissions - this hook has been removed in favor of :ref:`register_actions() <plugin_register_actions>`.

Consult the :ref:`v1.0a20 upgrade guide <upgrade_guide_v1_a20>` for further details on how to upgrade affected plugins.

Plugins can now make use of two new internal methods to help resolve permission checks:

  • :ref:`datasette.allowed_resources() <datasette_allowed_resources>` returns a PaginatedResources object with a .resources list of Resource instances that an actor is allowed to access for a given action (and a .next token for pagination).
  • :ref:`datasette.allowed_resources_sql() <datasette_allowed_resources_sql>` returns the SQL and parameters that can be executed against the internal catalog tables to determine which resources an actor is allowed to access for a given action. This can be combined with further SQL to perform advanced custom filtering.

Related changes:

  • The way datasette --root works has changed. Running Datasette with this flag now causes the root actor to pass all permission checks. (:issue:`2521`)

  • Permission debugging improvements:

    • The /-/allowed endpoint shows resources the user is allowed to interact with for different actions.
    • /-/rules shows the raw allow/deny rules that apply to different permission checks.
    • /-/actions lists every available action.
    • /-/check can be used to try out different permission checks for the current actor.


... (truncated)

Commits
  • 6a14146 Release 0.65.2
  • c434ce0 Switch from pkg_resources to importlib.metadata
  • 7d28ca1 Fix datetime.utcnow deprecation warning
  • f626983 Fix BeautifulSoup deprecation warnings in tests
  • 9becb04 Fix for BeautifulSoup findAll warnings
  • 13c338c Get publish cloudrun working with latest Cloud Run (#2581)
  • 98d4037 Add 3.14 to metadata
  • e152091 Don't run CI against Python 3.9
  • 764b460 Run readthedocs on 3.11
  • d90bdf7 Fixed a couple of spelling errors
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [datasette](https://github.com/simonw/datasette) from 0.65.1 to 0.65.2.
- [Release notes](https://github.com/simonw/datasette/releases)
- [Changelog](https://github.com/simonw/datasette/blob/main/docs/changelog.rst)
- [Commits](simonw/datasette@0.65.1...0.65.2)

---
updated-dependencies:
- dependency-name: datasette
  dependency-version: 0.65.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jan 24, 2026
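
Added example, not part of the original pull request and not Datasette's own code or fix: a generic check for the open redirect class described in the 0.65.2 release notes, where a path beginning with `//` is resolved by browsers as a network-path reference to another host. The origin `BASE` and the function names `resolves_off_origin`, `safe_local_path` and `audit` are hypothetical, and the sample values are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed origin standing in for a Datasette deployment (assumption).
BASE = "https://datasette.example.test"


def resolves_off_origin(location: str, base: str = BASE) -> bool:
    """Return True if following `Location: <location>` from `base`
    would take a browser to a different scheme or host."""
    # Browsers treat a backslash like a forward slash in http(s) URLs,
    # so "/\host" behaves like "//host". Normalize before resolving.
    normalized = location.replace("\\", "/")
    target = urlsplit(urljoin(base + "/", normalized))
    origin = urlsplit(base)
    return (target.scheme, target.netloc) != (origin.scheme, origin.netloc)


def safe_local_path(path: str) -> str:
    """Collapse leading slashes and backslashes so the value can only be
    interpreted as a path on the current origin."""
    return "/" + path.lstrip("/\\")


def audit(locations):
    """Return the subset of candidate Location values that leave the origin."""
    return [loc for loc in locations if resolves_off_origin(loc)]


if __name__ == "__main__":
    # Constructed sample: request paths an application might echo back
    # into a redirect, including the one quoted in the release notes.
    samples = [
        "/fixtures/facetable",
        "//example.com/foo/bar",
        "/\\example.com/foo/bar",
    ]
    for path in samples:
        fixed = safe_local_path(path)
        print(f"{path!r}: off-origin={resolves_off_origin(path)} "
              f"-> {fixed!r}: off-origin={resolves_off_origin(fixed)}")
```

Running `audit` over redirect targets captured in tests is a quick regression check that a deployment on a pre-0.65.2 version, or any custom redirect logic in front of it, does not echo a leading `//` into a `Location` header.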